System and method for the central control of devices used during an operation

ABSTRACT

The present invention relates to a system for the central control of devices (20, 52) used during an operation, comprising a first control unit (12) for control of said devices. The system is characterized in that a second control unit (14) is provided which is connected to the first control unit for exchange of information. The first control unit is embodied as closed system for control of at least those devices (20; 22-26) which carry out safety-related functions (safety-related devices), and the second control unit (14) is embodied as open system for control of the remaining devices (52) which carry out non safety-related functions (non safety-related devices). The invention further relates to a method for the central control of devices.

CROSSREFERENCES TO RELATED APPLICATIONS

This application is a continuation of copending international patent application PCT/EP01/10189 filed Sep. 5, 2001 and designating U.S., which claims priority of European Application EP 00 119 179.0 filed Sep. 5, 2000.

BACKGROUND OF THE INVENTION

The present invention relates to a system and a method for the central control of devices, particularly medical devices, which are used during an operation, comprising a first control unit for control of the devices.

For ergonomic reasons it is desirable to be able to remote control and control, respectively, the control device of all systems required during an operation from a central position, if possible out of a sterile area. Such a control may be carried out for example via a touch-screen (with a sterile cover) or via a voice control. The controlled devices and systems, respectively, may comprise for example endoscopic devices, as well as an op-table, op-lighting, room lighting, air conditioning, telephone, pager, internet, hospital-information system, consumption parts, management system and so on.

In view of the control of medical devices document DE 199 04 090 A1 for example discloses to interconnect single devices via a CAN-bus, the single devices being used as slaves and a host computer as master. All devices are controllable via this host computer.

The disadvantage of such a network is for example that the software- and hardware-efforts to be taken for the single host computer are very high since it has to be adapted to the device to be controlled having to fulfill the highest safety requirements. In view of devices to be controlled without having to fulfill these high safety requirements it may be possible that flexibility and simplicity of the handling may be lost.

If the single host computer is designed by applying a less stringent standard with respect to safety aspects, the risk would arise (for example for a PC with standard software like Windows-NT), however, that said safety-related functions would be endangered by unreliable functions of non safety-related systems.

In this case it is assumed that the mentioned medical devices may be divided into two different groups, namely safety-related systems on the one hand, as for example endoscopic devices (insufflators, pumps, or RF-surgery and so on), op-table-control etc., namely devices or systems which may be life-threatening for a patient in the event of a breakdown or failure, and non-safety-related systems on the other hand, like picture archiving, material management systems, telephone remote control etc.

SUMMARY OF THE INVENTION

In view of the above the object of the present invention is to provide for a system and a method, respectively, which do not have the before mentioned disadvantages. Particularly it is to increase the safety in respect to the control of safety-related devices.

This object is solved by the system of the afore-mentioned kind by providing a second control unit which is connected with the first control unit for exchange of information, and the first control unit is embodied as a closed system for control of at least those devices which carry out safety-related functions (safety-related devices) and the second control unit is embodied as an open system for control of the remaining devices which carry out non safety-related functions (not safety-related devices).

This means in other words that the inventive system does not use a single host computer as has been done up to now, but uses two control units instead which are each assigned to different groups of devices to be controlled. When assigning the devices to be controlled to those control units it is assumed that there are generally devices for carrying out safety-related functions (for example endoscopic devices) and on the other hand devices for carrying out non-safety-related functions, like room lighting, air conditioning etc., during an operation.

In this connection the term “closed system” describes a system which does not allow any intervention from outside the system.

Such a system cannot be manipulated, reconfigured etc. either by a user directly or via the internet etc. In contrast thereto an open system may be configured or for example supplemented by a user. Here, interventions and manipulations, respectively, from outside are possible.

The advantage of the inventive system is among others that the provision of a further control unit increases the safety with respect to undesired erroneous or faulty functions without limiting the flexibility of the whole system thereby. Due to the fact that on the second control unit software may be used which does not have to fulfill such stringent safety requirements as is the case for the control of safety-related devices, standard software may be used so that the single investment costs on the one hand as well as the running maintenance costs of the total system on the other hand may be reduced.

A further advantage of the inventive system is that the first control unit which is responsible for the control of the safety-related devices is embodied as a closed system which secures that all attempts to manipulate the operating system are disabled. Moreover also manipulations of the applications for controlling the safety-related devices are impossible.

At this point it is to be noted, however, that on the first control unit also applications for control of non safety-related devices could run provided that these applications have been tested under safety aspects before.

Advantageously, those control units are each part of independent computers (PC's). Of course, it is also contemplated that those control units are integrated in one computer which comprises at least two processors (CPU) with one control unit being realized by one processor.

When using a single host computer and considering such requirements it would not be possible to carry out the control of non safety-related devices with the desired simplicity and flexibility. Moreover the risk would always arise that erroneously programmed software for the non safety-related devices would influence the control of safety-related devices.

In a preferred embodiment the first control unit and the safety-related devices are interconnected via a bus-system preferably the Karl Storz-communication-bus (SCB®). Preferably, the non safety-related devices and the second control unit are interconnected via a further bus-system, both bus-systems preferably being different.

These measures result in a simplification of the system as well as in a reduction of the total costs since the especially designed bus-system for safety-related functions is not used for the control of every device. Rather also conventional standard bus-systems may be used. Hence the expensive safety bus-system is only used for the interconnection of the safety-related devices.

In a preferred embodiment an interface unit is provided which is connected with both control units on the one hand and with peripheral devices on the other hand and which connects each of the control units with the peripheral devices. Preferably, the interface unit is controlled by the first control unit via a control line. More preferably the peripheral devices comprise a monitor device and/or an input device, preferably a keyboard and a mouse. More preferably, the monitor device is provided as a touch-screen also allowing an input.

These above mentioned measures result in the advantage that the costs for the total system are reduced on the one hand and the handling is significantly simplified on the other hand since the peripheral devices required for input of control instructions or for monitoring of parameters are provided only once. Hence the surgeon does not have to observe plural monitor devices. Further, the control line between the interface unit and the first control unit guarantees that the control unit controlling the important safety-related devices also allows the respective necessary function and displays the important safety-related parameters on the touch-screen in case of a breakdown and a failure, respectively, of the second control unit. Altogether, also an increase of the safety level of the system is achieved.

In a preferred embodiment the second control unit comprises a receiving means to capture error messages from the first control unit and to display them on one of the peripheral devices.

This measure has the advantage that also in case of a connection of the second control unit with the interface unit for the control of non safety-related devices error messages concerning safety-related devices are immediately provided to the user of the system. It may hence be avoided that the display of such error messages is only signaled to the user upon re-switching the connection from the first control unit to the peripheral devices. Consequently, this has the advantage that the safety of the total system is further increased.

Preferably the safety-related devices include endoscopic devices, preferably insufflators, pumps, light sources, video devices and for example op-table-controllers etc. The non safety-related devices include for example picture archiving, op-lighting, room lighting, telephone, air conditioning, pager, internet, hospital system, consumption parts, management systems, etc.

It is further preferred to interconnect both control units via an Ethernet-bus (TCP/IP-protocol), since this type of bus-system has been proved as reliable and cost effective.

In a preferred embodiment the first control unit comprises an embedded operating system, preferably “embedded windows NT”, which is protected against interventions from outside the system.

This means in other words that the operating system of the first control unit is a fixed component of the unit and is hence protected against manipulations. The user may not carry out any interventions into the operating system. This would be possible for example with current PC's. Hence, it is avoided that specific safety-related functions can not be carried out anymore or are carried out erroneously due to intentional or unintentional interventions into the operating system.

In a preferred embodiment the first control unit comprises a check means which cyclically checks the connection with the interface unit and outputs an error message if a connection is not present.

Also this measure results in an increase of safety because the system signalizes the user immediately when a display and a setup, respectively, of respective parameters of safety-related devices are not possible anymore due to the failure of the interface unit.

In a preferred embodiment the first control unit comprises a voice control, for example in form of a software module.

This measure has the advantage that the operation by the surgeon is simplified.

The object underlying the present invention is also solved by a method for the central control of devices used during an operation in that the devices for the control of safety-related functions are controlled by a first control unit and the devices for carrying out non safety-related functions are controlled by a second control unit.

This method allows to realize the advantages mentioned in connection with the afore-mentioned inventive system in the same manner so that the advantages may not be described here anymore.

In a preferred embodiment both control units communicate with each other, while preferably the first control unit checks the second control unit for faults. It is further preferred to provide for an interface unit which is controlled by the first control unit and which in response thereto forwards signals either from the first or the second control unit to a common peripheral device.

This measure has, as already mentioned, the advantage that the costs of the system are reduced and the ease of operation is increased.

In a preferred embodiment the first control unit will drive the interface unit in case of a failure of the second control unit such that the signals of the first control unit are forwarded to the peripheral devices.

This means in other words that the first control unit ensures that a failure in the second control unit does not result in the breakdown of the connection between the first control unit and the peripheral devices.

In a preferred embodiment the interface unit forwards the signals of the first control unit to the peripheral devices immediately if a safety-related function is to be carried out.

This measure has the advantage that the important functions are possible also when the present connection between the second control unit and the peripheral devices is present. The result is an increase of safety.

In a preferred embodiment the interface unit forwards the signals of the second control unit to the peripheral devices after activating a non safety-related function only when the safety-related function is completed and completely carried out, respectively. This means in other words that the execution of safety-related functions cannot be interrupted by switching the interface unit. Rather, the execution of the safety-related function is carried out up to the end and only then the interface unit will build up the connection between the second control unit and the peripheral devices.

Further advantages and embodiments of the invention can be taken from the following description and the enclosed drawings.

It is to be understood that the features mentioned above and those yet to be explained below can be used not only in the respective combinations indicated, but also in other combinations or in isolation, without leaving the scope of the present invention.

BRIEF DESCRIPTION OF THE DRAWING

The invention will now be described in detail with reference to a FIGURE, the FIGURE showing a schematic block diagram of an inventive system.

DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS

In the FIGURE a system for the central control of devices used during an operation is shown as a block diagram and is indicated with reference numeral 10. The system 10 comprises a first computer unit 12 and a second computer unit 14. Both computer units 12, 14 are interconnected via a bus-connection 16, for example an Ethernet-bus-connection, in order to exchange data in form of messages.

Both computer units 12, 14 are provided as medical PC's, wherein the first computer unit 12 uses an embedded operating system, preferably an “embedded windows NT”-operating system. The second computer unit 14 operates preferably with a common windows operating system or another non embedded operating system.

The first computer unit 12 serves at least for the control of medical devices, which carry out safety-related and safety critical functions, respectively. In the FIGURE, these safety-related devices are indicated with reference numeral 20. For example, in the FIGURE, a pump 25, an insufflator 24 and RF generator 26 are shown. This exemplary enumeration of three devices is not to be understood in any limiting sense, which is indicated in the FIGURE by further devices n and m. Furthermore, the first computer unit 12 may also be used for the control of non safety-related devices provided that respective tested software is used. However, this possibility will not be further discussed below.

The communication between the first computer unit 12 and the safety-related devices 20 is achieved via a bus-system 28 which allows a safe transmission of data. In view of this bus-system 28 other requirements with respect to fail safety have to be considered than is the case in the afore-mentioned Ethernet-bus 16. The applicant offers such a bus-system for example under the name Karl Storz-Communication-Bus (SCB®).

The system 10 further comprises a switching unit 30. The switching unit 30 is connected with its input side to the computer unit 12 and the computer unit 14, wherein in the FIGURE only one connection line 33, 35 each is exemplarily shown. It is to be understood that these connection lines 33, 35 comprise a plurality of single connection lines.

On the output side the switching unit 30 is connected with peripheral devices 40, wherein in the FIGURE a touch sensitive monitor 42 (called touch-screen), an input keyboard 44 as well as a mouse 46 are shown as an example. The peripheral devices 40 are located for example in the direct sphere of the surgeon in the operation room so that these peripheral devices 40 have to be adapted accordingly. The touch-screen 42 is for example provided with a sterile cover.

The connection of the peripheral devices 40 with the switching unit 30 is made via respective lines 48, wherein for simplification reasons only one line is shown each representing a plurality of connecting lines.

A switching unit 30 has the task to connect each peripheral device 42 to 46 with one of both computer units 12, 14 so that the input and the display, respectively, of data is possible.

The control of the switching unit 30 is provided by the first computer unit 12, and respective control signals may be transmitted to the switching unit 30 via a control line 38.

The second computer unit 14 is connected (indirect-coupled) with the devices 52 via an optical bus 50, which devices carry out non safety-related functions. Such functions are for example telephone remote control, room lighting, etc. The control of these non safety-related devices is hence achieved by the second computer unit 14.

As already mentioned, the first computer unit 12 is equipped with an embedded operating system. This should guarantee that interventions into the systems or manipulations of the systems from outside are not possible. The first computer unit 12 is rather embodied as a closed system on which only tasks are running which are required for the control of the safety-related devices 20. Also, tasks may run additionally which serve to control the non safety-related devices 42 in case that these tasks are tested in view of safety aspects before.

The second computer unit 14 is however provided as a common medical PC. In contrast to the first computer unit 12 no tasks are allowed to run on the second computer unit 14, which tasks serve to control safety-related devices.

Both computer units 12, 14 supply data by the respective lines 33, 35 to the switching unit 30 and depending on the “position” of the switching unit only the data of one of both computer units are displayed on the touch-screen 42. Also the input of data is carried out only in this computer unit. In case that the surgeon wants to select for example functions of the other group of devices, he may do this via a respective input of an instruction which is either directly received by the first computer unit 12 or indirectly received via the computer unit 14 and the bus 16 by the first computer unit 12. In response thereto it transmits a respective control signal via the control line 38 causing a switching in the switching unit 30. On the touch-screen 42 the respective data, selecting menus etc. of the selected group of devices will then be displayed.

In case of a connection between the second computer unit 14 with the peripheral devices 40 it is necessary that any error messages relating to safety-related devices 20 are immediately signalized to the surgeon independent of the switch condition of the switching unit 30 via the touch-screen 42. For this, a task is running in the second computer unit 14 which continuously checks the messages sent by the first computer unit 12 via the bus 16 for failure messages. If an error message is detected the second computer unit 14 ensures that a window is opened on the touch-screen in which the error message is displayed.

A further task of the first computer unit 12 is to check the presence of the switching unit 30. If the switching unit 30 cannot be detected anymore by the first computer unit 12 for example due to breakdown, the first computer unit 12 must immediately generate an error message. This error message is to signalize the surgeon that an appropriate display and an input of data via the peripheral devices 40 may not be guaranteed anymore.

Further it is necessary that the first computer unit 12 checks the second computer unit 14 and in case of a failure the switching unit 30 is immediately set in those switching conditions in which the first computer unit 12 is connected with the peripheral devices 40.

Under safety aspects it is also necessary that when inputting an instruction for switching the peripheral devices 40 to the second computer unit 14 all not yet completed functions of the safety-related devices 20 are first completed with a respective display of the parameters. This is to guarantee that the execution of these safety-related functions is not terminated too early. In the reverse case, however, the peripheral devices 40 are immediately connected with the first computer unit 12 so that a safety-related function may be carried out without any delay.
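
The switching rules of the preceding paragraphs (deferred switch to unit 14, immediate switch to unit 12, fail-over when unit 14 fails, error when switching unit 30 is missing), sketched as an added Python example that is not part of the patent. The heartbeat over bus 16, the timeout value and all class and method names are assumptions; the text does not say how unit 12 detects a fault of unit 14.

```python
from dataclasses import dataclass, field
from enum import Enum


class Source(Enum):
    UNIT_12 = "first computer unit 12 (closed)"
    UNIT_14 = "second computer unit 14 (open)"


@dataclass
class SwitchArbiter:
    """Policy run on unit 12, the only party that drives control line 38."""
    heartbeat_timeout: float = 1.0        # assumed value, in seconds
    selected: Source = Source.UNIT_12     # current position of switching unit 30
    pending_14: bool = False              # deferred request to show unit 14
    unit_14_ok: bool = True
    last_heartbeat_14: float = 0.0
    active_safety: set = field(default_factory=set)
    errors: list = field(default_factory=list)

    def heartbeat_from_14(self, now: float) -> None:
        """Assumed liveness message received from unit 14 over bus 16."""
        self.last_heartbeat_14 = now
        self.unit_14_ok = True

    def request(self, target: Source) -> Source:
        """Operator asks for the menus of the other device group."""
        if target is Source.UNIT_12:
            self.pending_14 = False
            self.selected = Source.UNIT_12    # reverse case: no delay
        elif not self.unit_14_ok:
            self._error("unit 14 unavailable, request refused")
        else:
            self.pending_14 = True
            self._apply_pending()
        return self.selected

    def start_safety_function(self, name: str) -> Source:
        """A safety-related function takes the peripherals immediately."""
        self.active_safety.add(name)
        self.selected = Source.UNIT_12
        return self.selected

    def finish_safety_function(self, name: str) -> Source:
        self.active_safety.discard(name)
        self._apply_pending()
        return self.selected

    def tick(self, now: float, switch_present: bool) -> Source:
        """Cyclic check of switching unit 30 and of unit 14."""
        if not switch_present:
            self._error("switching unit 30 not detected")
        stale = now - self.last_heartbeat_14 > self.heartbeat_timeout
        if self.unit_14_ok and stale:
            self.unit_14_ok = False
            self.pending_14 = False
            self.selected = Source.UNIT_12    # fail over to the closed unit
            self._error("unit 14 failed, peripherals returned to unit 12")
        return self.selected

    def _apply_pending(self) -> None:
        # Switch to unit 14 only once no safety-related function is running.
        if self.pending_14 and not self.active_safety and self.unit_14_ok:
            self.selected = Source.UNIT_14
            self.pending_14 = False

    def _error(self, text: str) -> None:
        if text not in self.errors:
            self.errors.append(text)


def demo() -> list:
    """Constructed scenario; returns the switch position after each step."""
    a = SwitchArbiter()
    a.heartbeat_from_14(0.0)
    trace = [a.start_safety_function("insufflator")]
    trace.append(a.request(Source.UNIT_14))               # deferred
    trace.append(a.finish_safety_function("insufflator")) # now switches
    trace.append(a.start_safety_function("pump"))         # back at once
    trace.append(a.finish_safety_function("pump"))        # nothing pending
    a.heartbeat_from_14(0.5)
    trace.append(a.request(Source.UNIT_14))
    trace.append(a.tick(2.0, switch_present=True))        # heartbeat stale
    trace.append(a.request(Source.UNIT_14))               # refused
    return trace
```

Because only the closed unit evaluates this policy, a fault or manipulation on the open unit can at worst lose it the display; it cannot hold the peripherals away from a running safety-related function.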

It is to be understood that the invention may be realized not only in form of the afore-mentioned embodiment but also in other embodiments. The scope of such modifications is only defined by the appended claims.

1. A method for the central control of devices used during an operation, the method comprising: using at least one safety-related device to perform safety-related functions; using at least one non-safety-related device to perform only non-safety-related functions; connecting a first control unit to a second control unit; using the first control unit embodied as a closed system to control at least the safety-related devices; using the second control unit embodied as an open system to control only non-safety-related; and controlling an interface unit with the first control unit to forward signals from the first or the second control unit to a common peripheral device; wherein the first control unit drives the interface unit upon an error of the second control unit such that the signals of the first control unit are forwarded to the peripheral device.

2. The method of claim 1, further comprising checking the second control unit for faults with the first control unit.

3. The method of claim 1, wherein the interface unit immediately forwards the signals of the first control unit to the peripheral device if a safety-related function is to be carried out.

4. The method of claim 3, wherein after activating a non-safety-related function the interface unit forwards the signals of the second control unit to the peripheral device only if the safety-related function is completed.

5. The method of claim 1, wherein the at least one non-safety-related device is located in an operating room.

6. The method of claim 5, wherein the second control unit is located in the operating room.

7. A method for the central control of devices used during an operation, the method comprising: providing at least one device that performs safety-related functions; providing at least one device that performs only non-safety-related functions; connecting a first control unit to the devices that perform safety-related functions; connecting a second control unit to the devices that perform only non-safety-related functions; connecting the first control unit to the second control unit; using the first control unit to control the safety-related functions performed by the devices connected to the first control unit; using the second control unit to control only the non-safety-related functions performed by the devices connected to the second control unit; and controlling an interface unit with the first control unit to forward signals from the first or the second control unit to a common peripheral device; wherein the first control unit drives the interface unit upon an error of the second control unit such that the signals of the first control unit are forwarded to the peripheral device.

8. A system for the central control of devices used during an operation, comprising: a plurality of devices including at least one device that performs safety-related functions and at least one device that performs only non-safety-related functions; a first control unit connected to the devices that perform safety-related functions, wherein said first control unit is embodied as a closed system that controls the devices that perform safety-related functions; a second control unit connected to the devices that perform only non-safety-related functions, wherein said second control unit is embodied as an open system that does not control any of the devices that perform safety-related functions, and wherein said second control unit is connected to said first control unit and exchanges information with said first control unit; and an interface unit and a common peripheral device, wherein said first control unit controls said interface unit to forward signals from said first or second control unit to the common peripheral device; wherein said first control unit drives said interface unit upon an error of said second control unit such that the signals of said first control unit are forwarded to said peripheral device.

9. The system of claim 8, wherein said first control unit checks said second control unit for faults.

10. The system of claim 8, wherein said interface unit immediately forwards the signals of said first control unit to said peripheral device if a safety-related function is to be carried out.

11. The system of claim 10, wherein after activating a non safety-related function said interface unit forwards the signals of said second control unit to said peripheral device only if the safety-related function is completed.

12. System of claim 8, further comprising a bus system by which said first control unit and said safety-related devices are interconnected.

13. System of claim 12, further comprising a second bus system by which said second control unit and said non safety-related devices are interconnected.

14. The system of claim 12, wherein said first control unit checks said second control unit for faults.

15. System of claim 8, further comprising an interface unit connected to said first and second control units.

16. System of claim 8, further comprising a touch-screen.

17. System of claim 8, wherein said second control unit comprises a receiving means to capture error messages from said first control unit.

18. The system of claim 8, wherein said safety-related devices include at least one endoscopic device.

19. The system of claim 18, wherein said at least one endoscopic device includes at least one of an insufflator, a pump, a light source, or a video device.

20. The system of claim 8, wherein said non safety-related devices include at least one of a picture archiving device, OP-lighting, room lighting, a telephone, air conditioning, a pager, an internet connection, a hospital system, consumption parts, and a management system.

21. The system of claim 8, further comprising an Ethernet bus by which said first and second control units are interconnected.

22. The system of claim 8, wherein said first control unit comprises a voice control unit.

23. The system of claim 8, wherein said first and second control units comprise a dual processor computer unit.

24. The system of claim 8, wherein the at least one device that performs only non-safety-related functions is located in an operating room.

25. The system of claim 24, wherein the second control unit is located in the operating room.

26. A system for the central control of both safety-related devices and non-safety-related devices during an operation, comprising: a first control unit that is configured to operate as a closed system to control the safety-related devices when the safety related devices are connected thereto; a second control unit that is configured to operate as an open system to control the non-safety-related devices when the non-safety-related devices are connected thereto; wherein said second control unit is configured to control only the non-safety-related devices; and wherein said second control unit is connected to said first control unit and exchanges information with said first control unit; and an interface unit and a common peripheral device, wherein said first control unit controls said interface unit to forward signals from said first or second control unit to the common peripheral device; wherein said first control unit drives said interface unit upon an error of said second control unit such that the signals of said first control unit are forwarded to said peripheral device.